Routing Registries

I had routing registries on the brain so I wanted to knock some of the rust of recording and did 10 minutes on routing registries and what they are.

if you want to look at some of my older posts on routing registries

Routing Registries and you

Transit, peer, upstream. What do they all mean?

 

Routing Registries and you

This was originally published at https://www.mtin.net/blog/internet-routing-registries/ 

It has been updated form grammar, but I am working on an updated version of this,

Routing Registries are a mysterious underpinning of the peering and BGP world. To many, they are arcane and complicated. If you have found this article you are at least investigating the use of a registry. Either that or you have run out of fluffy kittens to watch on YouTube. Either way, one of the first questions is “Why use a routing registry”.

As many of us know BGP is a very fragile ecosystem. Many providers edit access lists in order to only announce prefixes they have manually verified someone has the authority to advertise. This is a manual process for many opportunities for error. Any time a config file is edited errors can occur. Either typos, misconfiguration, or software bugs.

Routing registries attempt to solve two major issues. The first is automating the process of knowing who has the authority to advertise what. The second is allowing a central repository of this data.

So what is a routing Registry?
From Wikipedia: An Internet Routing Registry (IRR) is a database of Internet route objects for determining, and sharing route and related information used for configuring routers, with a view to avoiding problematic issues between Internet service providers.

The Internet routing registry works by providing an interlinked hierarchy of objects designed to facilitate the organization of IP routing between organizations, and also to provide data in an appropriate format for automatic programming of routers. Network engineers from participating organizations are authorized to modify the Routing Policy Specification Language (RPSL) objects, in the registry, for their own networks. Then, any network engineer, or member of the public, is able to query the route registry for particular information of interest.

What are the downsides of a RR?
Not everyone uses routing registries. So if you only allowed routes from RR’s you would get a very incomplete view of the Internet and not be able to reach a good amount of it.

Okay, so if everyone doesn’t use it why should i go to the trouble?
If you are at a formal Internet Exchange (IX) you are most likely required to use one. Some large upstream providers highly encourage you to use one to automate their process.

What are these objects and attributes?
In order to participate you have to define objects. The first one you create is the maintainer object. This is what the rest of the objects are referenced to and based on. Think of this as setting up your details in the registry.

From this point you setup “object types”. Object types include:
as-set
aut-num
inet6num
inetnum
inet-rtr
key-cert
mntner
route
route6
route-set
If you want to learn more about each of these as well as templates visit this ARIN site.

So what do I need to do to get started?
The first thing you need to do is set up your mntner object in the registry. I will use ARIN as our example. You can read all about it here:https://www.arin.net/resources/routing/.

You will need a couple of things before setting this up
1.Your ARIN ORGID
2.Your ADMIN POC for that ORGID
3.Your TECH POC for that ORGID

Once you have these you can fill out a basic template and submit to ARIN.

mntner: MNT-YOURORGID
descr: Example, Inc.
admin-c: EXAMPLE123-ARIN
tech-c: EXAMPLE456-ARIN
upd-to: hostmaster@example.net
mnt-nfy: hostmaster@example.net
auth: MD5-PW $1$ucVwrzQH$zyamFnmJ3XsWEnrKn2eQS/
mnt-by: MNT-YOURORGID
referral-by: MNT-YOURORGID
changed: hostmaster@example.net 20150202
source: ARIN

The templates is very specific on what to fill out. The mnt-by and referral-by are key to following instructions. MD5 is another sticking point. The process is documented just in a couple of places. In order to generate your MD5-PW follow these instructions.

1. Go to https://apps.db.ripe.net/crypt/ Enter in a password. Make sure you keep this cleartext password as you will need it when sending future requests to ARIN’s Routing Registry.
2. Submit the password to get the md5 crypt password. Keep this password for your records, as you may need it when interacting with ARIN’s IRR in the future.
3. Add the following line to your mntner object template in the text editor.
auth: MD5-PW
Our example above has a MD5 password already generated.
Once this is done and created you can add objects. The most commonly added objects are your ASN and IP space.

Create your ASN object using the as-num template

aut-num: AS65534
as-name: EXAMPLE-AS
descr: Example, Inc.
descr: 114 Pine Circle
descr: ANYWHERE, IN 12345
descr: US
import: from AS65535 accept ANY
import: from AS65533 accept AS65534
export: to AS65533 announce ANY
export: to AS65535 announce AS2 AS65533
admin-c: EXAMPLE456-ARIN
tech-c: EXAMPLE123-ARIN
mnt-by: MNT-YOURORGID
changed: user@example.com 20150202
source: ARIN
password:

The things to know about the above template are the import and export attributes.

Now on to adding IP space
Suppose you have IP space of 192.0.2.0/24 Your template would look like:

inetnum: 192.0.2.0 – 192.0.2.255
netname: EXAMPLE-NET
descr: Example, Inc.
descr: 115 Oak Circle
descr: ANYWHERE, IN 12345
country: US
admin-c: EXAMPLE123-ARIN
tech-c: EXAMPLE456-ARIN
notify: user@example.com
mnt-by: MNT-YOURORGID
changed: user@example.com 20150202
source: ARIN
password:

The password attribute is the cleartext password for your MD5 key.

Further Reading:
Using RPSL in practice

NANOG IRR

NLOG ring for network operators

From their web-site

To encourage and provide a streamlined way of cooperating I introduce the “NLNOG RING”. In essence the deal is very simple: you make a (virtual) machine available to the RING, and you gain access on all servers which are part of the project, hence the name “RING”.

A great example would be to launch a traceroute from 80 servers in different networks and quickly get the results instead of waiting till somebody has the time to run some tests for you.

Participation

Participation is open to everybody who meets the following requirements:

  • You are a network operator
  • The organisation you work for has BGP routers connected to the “Default Free Zone” and maybe even IXP’s.
  • Your organisation has its own ASN, IPv4 and IPv6 prefix(es).
  • You have enable or configure rights on those routers.
  • You are involved in the networkers community.
  • You have permission from your organisation to become involved in the NLNOG RING.

 

My Mum 2019 BGP presentation

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon at $0.01 or more
Already a qualifying Patreon member? Refresh to access this content.

Hulu and Geolocation issues solved

Recently I received some IP space from Arin and every geolocation provider I tried came back with proper information.  However, when we went live with these IPs Hulu and others had issues with them.

When you have these issues the first place to go to is:
http://thebrotherswisp.com/index.php/geo-and-vpn/

This link will answer many of the GeoLocaiton issues you may be experiencing.  By e-mailing ipadmin@hulu, as we suggest in the above link, I received the following back.

The IP location provider Hulu uses is Digital Envoy. Can you reach out to them and provide them with the correct geological information for that IP block. You can submit a request using the link below.https://www.digitalelement.com/contact-us/

Digital element does not happen to have an easy contact form or information on their website.  I posted a message on the NANOG mailing list asking for help. I received direct contact at Digital element, which was from a digitalenvoy.net e-mail.  I am awaiting a response back about how to handle these issues in the future.  The Digital Element web-site does not give much information on how to contact them for GeoIP issues.

If you want to read Arin’s response to GeoIp issues:
https://teamarin.net/2018/06/11/ip-geolocation-the-good-the-bad-the-frustrating/

Looking Glass Links

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon at $0.01 or more
Already a qualifying Patreon member? Refresh to access this content.

BGP Local Pref and how it can influence traffic

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.
To view this content, you must be a member of Justin Wilson's Patreon at $0.01 or more
Already a qualifying Patreon member? Refresh to access this content.

Need an ASN, IP space? I have a package for you.

Are you intimidated by getting an ASN to participate in BGP? Do you not have the time to learn all the ins and out of dealing with ARIN to get IP space or routing registries? Let me help you.

The ARIN starter package
-Organization ID and POC IDs setup
-Paperwork to get your own ASN
-Paperwork for your own IPV6 allocation
-Paperwork for an IPV4 /24
-ASN validation
-Documentation and maintenance documents
Cost $899 plus ARIN fees

Add Ons
-RPKI Setup $199
-Routing Registry setup $199

Add-ons are priced to add-on to the starter package.  Please let me know if you need just the add-ons for a proper quote.

Cisco ORF (Outbound route filtering)

Outbound Route Filtering (ORF) is a Cisco proprietary feature that prevents the unnecessary exchanging of routes that are subject to inbound filtering. This, in turn, minimizes bandwidth across the links and reduces CPU cycles upon the router during the processing of the neighbor UPDATE.

ORF works by the router transmitting its inbound filters to its neighbor, which the neighboring router then applies outbound.

great article on how to do this if you are running Cisco routers and your provider is too.

https://community.cisco.com/t5/networking-documents/bgp-orf-outbound-route-filtering-capability/ta-p/3153286